FIX: Simplify nginx config change (#30383)

The security fix in 15b43a2 also introduced some unrelated refactoring to the file, which seems to be causing issues in some environments. This commit reverts the refactoring, and applies the security fix to each block individually.

config/nginx.sample.conf

@@ -99,23 +99,26 @@ server {
     # auth_basic on;
     # auth_basic_user_file /etc/nginx/htpasswd;
 
-    # proxy_set_header directives are inherited from the previous configuration
-    # level if and only if there are no proxy_set_header directives defined on
-    # the current level.
-    proxy_set_header Host $http_host;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Request-Start "t=${msec}";
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header X-Forwarded-Proto $thescheme;
-    proxy_set_header X-Sendfile-Type "";
-    proxy_set_header X-Accel-Mapping "";
-
     location ~ ^/uploads/short-url/ {
+      proxy_set_header Host $http_host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Request-Start "t=${msec}";
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $thescheme;
+      proxy_set_header X-Sendfile-Type "";
+      proxy_set_header X-Accel-Mapping "";
       proxy_pass http://discourse;
       break;
     }
 
     location ~ ^/(secure-media-uploads/|secure-uploads)/ {
+      proxy_set_header Host $http_host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Request-Start "t=${msec}";
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $thescheme;
+      proxy_set_header X-Sendfile-Type "";
+      proxy_set_header X-Accel-Mapping "";
       proxy_pass http://discourse;
       break;
     }
@@ -129,6 +132,13 @@ server {
     location = /srv/status {
       access_log off;
       log_not_found off;
+      proxy_set_header Host $http_host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Request-Start "t=${msec}";
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $thescheme;
+      proxy_set_header X-Sendfile-Type "";
+      proxy_set_header X-Accel-Mapping "";
       proxy_pass http://discourse;
       break;
     }
@@ -166,9 +176,12 @@ server {
     }
 
     location ~ ^/uploads/ {
-      # proxy_set_header directives are inherited from the previous configuration
+
-      # level if and only if there are no proxy_set_header directives defined on
+      # NOTE: it is really annoying that we can't just define headers
-      # the current level.
+      # at the top level and inherit.
+      #
+      # proxy_set_header DOES NOT inherit, by design, we must repeat it,
+      # otherwise headers are not set correctly
       proxy_set_header Host $http_host;
       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Request-Start "t=${msec}";
@@ -176,7 +189,6 @@ server {
       proxy_set_header X-Forwarded-Proto $thescheme;
       proxy_set_header X-Sendfile-Type X-Accel-Redirect;
       proxy_set_header X-Accel-Mapping $public/=/downloads/;
-
       expires 1y;
       add_header Cache-Control public,immutable;
 
@@ -208,9 +220,6 @@ server {
     }
 
     location ~ ^/admin/backups/ {
-      # proxy_set_header directives are inherited from the previous configuration
-      # level if and only if there are no proxy_set_header directives defined on
-      # the current level.
       proxy_set_header Host $http_host;
       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Request-Start "t=${msec}";
@@ -218,7 +227,6 @@ server {
       proxy_set_header X-Forwarded-Proto $thescheme;
       proxy_set_header X-Sendfile-Type X-Accel-Redirect;
       proxy_set_header X-Accel-Mapping $public/=/downloads/;
-
       proxy_pass http://discourse;
       break;
     }
@@ -227,6 +235,14 @@ server {
     # acceleration for backups, avatars, sprites and so on.
     # see note about repetition above
     location ~ ^/(svg-sprite/|letter_avatar/|letter_avatar_proxy/|user_avatar|highlight-js|stylesheets|theme-javascripts|favicon/proxied|service-worker|extra-locales/(mf|overrides)) {
+      proxy_set_header Host $http_host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Request-Start "t=${msec}";
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $thescheme;
+      proxy_set_header X-Sendfile-Type "";
+      proxy_set_header X-Accel-Mapping "";
+
       # if Set-Cookie is in the response nothing gets cached
       # this is double bad cause we are not passing last modified in
       proxy_ignore_headers "Set-Cookie";
@@ -245,6 +261,13 @@ server {
 
     # we need buffering off for message bus
     location /message-bus/ {
+      proxy_set_header X-Request-Start "t=${msec}";
+      proxy_set_header Host $http_host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $thescheme;
+      proxy_set_header X-Sendfile-Type "";
+      proxy_set_header X-Accel-Mapping "";
       proxy_http_version 1.1;
       proxy_buffering off;
       proxy_pass http://discourse;
@@ -261,6 +284,14 @@ server {
   }
 
   location @discourse {
+    proxy_set_header Host $http_host;
+    proxy_set_header X-Request-Start "t=${msec}";
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $thescheme;
+    proxy_set_header X-Sendfile-Type "";
+    proxy_set_header X-Accel-Mapping "";
     proxy_pass http://discourse;
   }
+
 }